
Tuesday, June 5, 2012

Burp Intruder and Timing Options

Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at them too quickly. That sux.

I regularly use Intruder to do my brute forcing for me, especially since you can add timing options.

You can intercept your request, send it to Intruder, then add a payload marker for the username (and for the password too if you want to try username/username).

Setting the payload spots

So if you just want to iterate through a list of usernames with the same password, you set the password, then go to Payloads and add your user list. Above, I'm using each username as its own password with the pitchfork attack type. (I think Ken has gone over this in depth, so I'll stop explaining all that unless people ask for it.)

Our list of usernames

Once that is set up, you can play with the timing options on the Options tab. These adjust the number of threads and how long to wait between requests.

Timing options

You may also want to send everything through Tor. Check Burp's main Options tab.
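The defender's side of the timing trick above, added here as an example that is not part of the original post: a lockout rule that only counts failures per minute is blind to requests spaced out beyond its window, while counting distinct usernames failing from one source over a longer window still shows the user list being walked. The log format, timestamps and IP addresses below are constructed.

```python
"""Spot low-and-slow username enumeration that a per-minute lockout misses."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>".
# 198.51.100.7 spaces its failures 90 s apart (under a 5-per-minute lockout)
# but walks a list of accounts; 203.0.113.9 is a user mistyping a password.
SAMPLE_LOG = """
2012-06-05T09:00:00 198.51.100.7 alice FAIL
2012-06-05T09:01:30 198.51.100.7 bob FAIL
2012-06-05T09:03:00 198.51.100.7 carol FAIL
2012-06-05T09:04:30 198.51.100.7 dave FAIL
2012-06-05T09:06:00 198.51.100.7 erin FAIL
2012-06-05T09:07:30 198.51.100.7 frank FAIL
2012-06-05T09:09:00 198.51.100.7 grace FAIL
2012-06-05T09:00:10 203.0.113.9 alice FAIL
2012-06-05T09:00:20 203.0.113.9 alice FAIL
2012-06-05T09:00:40 203.0.113.9 alice OK
""".strip()


def parse(log_text):
    """Return (timestamp, source, username, result) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)


def sources_over_threshold(events, window, threshold, measure):
    """Per source, slide `window` over its failures; flag the source when
    measure(failures_in_window) reaches `threshold`."""
    per_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    flagged = set()
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if measure(fails[start:end + 1]) >= threshold:
                flagged.add(src)
                break
    return flagged


def fast_burst_sources(events):
    """Naive lockout rule: five or more failures within one minute."""
    return sources_over_threshold(events, timedelta(minutes=1), 5, len)


def slow_enumeration_sources(events):
    """Slow-rate rule: five or more distinct usernames failing within an hour."""
    return sources_over_threshold(events, timedelta(hours=1), 5,
                                  lambda w: len({u for _, u in w}))
```

Run over the sample, the per-minute rule flags nothing, while the distinct-username rule flags the source that is walking the list.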

4 comments:

1) You'll have told the customer your range of source IP addresses, so if you're using Tor they can't tell the difference between you and a genuine attack. Unless testing their responsiveness is specifically part of your scope all you're doing is creating unnecessary problems for the administrators.

2) By using Tor, aren't you putting the owners of the Tor exit nodes at risk by attacking through them?

1. I have, on occasion, been asked to play the don't-get-caught game. Thus giving them the IPs I'm coming from would be counter-productive to the point of the test. The goal is/was to let them work their process, block IPs, investigate, whatever their SOP is.

2. I guess?? If I substituted a random open proxy, would you feel better about it? If it's really causing someone heartburn/moral dilemma, they could stand up a Linode or buy a VPN account at one of the many VPN providers and tunnel through that. It still goes in either the SOCKS proxy section or the upstream proxy servers section.

3. I guess neither applies if someone were to be doing extracurricular activities anyway... in which case they wouldn't give two craps about #1 or #2.